Klaus Jochem

Next generation endpoint protection for end-users

Application virtualization is a great means of dealing with malware. In particular, ransomware cannot do massive damage if the malicious program is executed in an isolated virtual container which prevents any interaction with the rest of the computing environment.

Unfortunately, most vendors of next generation endpoint protection solutions are focused on protecting large private businesses and administrative bodies. End-user protection is falling increasingly by the wayside. Consumers must rely on inherently weak anti-malware solutions.

By now some products are available which overcome some of the most severe deficits of anti-malware solutions. They offer protection, e.g. against drive-by downloads, zero-day malware or file-less malware, for private businesses, administrative bodies and end-users alike.

The products of these companies are available for end-users. During the next weeks and posts I will discuss my experience with these products, with special regard to their ability to block zero-day malware and their usability.

Today I will share my first experiences with Blue Ridge Networks' 'AppGuard Zero Day Malware Protection'.

AppGuard is installed on top of an anti-malware solution, in my case Windows Defender. In the AppGuard user's guide one reads:

‘Conventional “detect and respond” approaches available are not enough in today’s cyber world. AppGuard is a breach prevention defense that stops breaches at the earliest stages. AppGuard delivers a multi-layered defense, protecting the endpoint at multiple points, including launch control, run-time application control, and memory protection to prevent one application from reading or writing to the memory of another. AppGuard protects your computer against certain applications with the greatest risk of malware, such as Microsoft and Adobe products. AppGuard stops the cyber attacks that traditional security products often miss, even zero-day and fileless malware. AppGuard prevents suspicious applications from running and stops even allowed applications such as your browser from performing high-risk activities that might result in an infected computer.’

Good zero-day malware samples are available from Malwr.com. Let's get to work.

I used the following sample (zero-day malware, delivered as a Microsoft Word document in a zip file) for my first test:

Security Notification3.zip is delivered by email. The zip file contains a Word document whose macro loads a file called harakiri.pfx from the attacker's command and control server and executes it afterwards.

On May 24, 2016, at 6:46 p.m., only 6 of 57 anti-malware engines on VirusTotal identified the malware:

Antivirus    Result                          Update
AVware       LooksLike.Macro.Malware.b (v)   20160524
Arcabit      HEUR.VBA.Trojan.e               20160524
McAfee       W97M/Downloader.bdx             20160524
Qihoo-360    virus.office.obfuscated.1       20160524
Rising       Trojan.Obfus/VBA@DT!1.A540      20160524
VIPRE        LooksLike.Macro.Malware.b (v)   20160524

With a detection rate of 6 of 57, Security Notification3.zip is a good zero-day malware sample for this test. Note that the six hits are generic or heuristic macro detections (LooksLike, HEUR, obfuscated, Downloader) rather than a signature for a specific family, so even the engines that fired did so on the obfuscated VBA, not on the payload.

After running a standard installation, I customized AppGuard only slightly. I set the protection level to "Locked Down":

Blue Ridge Networks AppGuard Main Menu

I downloaded the sample file to my test environment and opened the file in Word. AppGuard did a great job. The AutoOpen macro downloaded Harakiri.exe to the local temp folder and AppGuard blocked the execution:

AppGuard blocked Execution Notification

I checked some more samples and got the same result in every case: AppGuard blocks the execution of the downloaded files.
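The attack chain observed above (WINWORD.EXE runs an AutoOpen macro, the macro drops Harakiri.exe into the user's temp folder and launches it) is also a clean detection pattern for anyone who does not run a launch-control product: an Office process spawning an executable from a user-writable directory, or handing off to a script host. The following script is an added example written for this post; it is not code from the post or from Blue Ridge Networks / AppGuard. The log format (pipe-separated Sysmon-style process creation records with parent image, image and command line), the log lines themselves, the list of Office parents and script hosts, and the set of user-writable directories are all constructed assumptions for the illustration.

```python
"""Flag Office-spawned child processes that run from user-writable folders
or that are script hosts: the pattern behind the AutoOpen -> Temp\\Harakiri.exe
chain in the post.

Added example, not code from the post or from AppGuard. All lists and the
sample log below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Office processes whose children deserve scrutiny (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe", "mspub.exe"}

# Script hosts and LOLBins that macro downloaders commonly use for stage two.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe",
                "rundll32.exe"}

# Directories an ordinary user can write to, matched against a lower-cased,
# backslash-normalised path so forward-slash variants are caught as well.
USER_WRITABLE = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\"),
    re.compile(r"^c:\\users\\[^\\]+\\(downloads|desktop)\\"),
    re.compile(r"^c:\\windows\\temp\\"),
    re.compile(r"^c:\\programdata\\"),
]


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def normalise(path: str) -> str:
    """Lower-case, strip quotes and use backslashes for case/slash-insensitive matching."""
    return path.strip().strip('"').replace("/", "\\").lower()


def basename(path: str) -> str:
    return normalise(path).rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    p = normalise(path)
    return any(rx.match(p) for rx in USER_WRITABLE)


def parse_log(lines: Iterable[str]) -> List[ProcessEvent]:
    """Parse 'time|parent_image|image|command_line' records; skip blanks, comments, junk."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue  # malformed record: ignore rather than crash the pipeline
        events.append(ProcessEvent(*(f.strip() for f in fields)))
    return events


def classify(ev: ProcessEvent) -> List[str]:
    """Return the rule names the event triggers; an empty list means no finding."""
    reasons: List[str] = []
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return reasons
    if is_user_writable(ev.image):
        reasons.append("office-child-in-user-writable-dir")
    if basename(ev.image) in SCRIPT_HOSTS:
        reasons.append("office-child-script-host")
    return reasons


def detect(lines: Iterable[str]) -> List[Tuple[ProcessEvent, List[str]]]:
    findings = []
    for ev in parse_log(lines):
        reasons = classify(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample records (not real telemetry): time|parent_image|image|command_line
SAMPLE_LOG = r"""
# Word opened from Explorer, then Word spawns Temp\Harakiri.exe and powershell.exe
2016-05-24 18:50:11|C:\Windows\explorer.exe|C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\kj\Downloads\Security Notification3.doc"
2016-05-24 18:50:19|C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE|C:\Users\kj\AppData\Local\Temp\Harakiri.exe|"C:\Users\kj\AppData\Local\Temp\Harakiri.exe"
2016-05-24 18:51:02|C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc ...
2016-05-24 18:52:40|C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE|C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE|"OUTLOOK.EXE" /mail
2016-05-24 18:53:05|C:\Windows\explorer.exe|C:\Users\kj\AppData\Local\Temp\setup_helper.exe|setup_helper.exe /s
"""

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp}  {basename(ev.parent_image)} -> {ev.image}  [{', '.join(reasons)}]")
```

Run as-is, the script reports two of the five constructed records: the Harakiri.exe launch from the temp folder and the PowerShell hand-off. Word spawning Outlook is not flagged (Outlook lives under Program Files), and neither is Explorer launching an executable from Temp, because this rule is deliberately narrow and keys on the Office parent; a product like AppGuard in "Locked Down" mode stops the launch itself, whereas this rule only surfaces it after the fact. On a real host the three path fields map directly onto the Image, ParentImage and CommandLine fields of Sysmon event ID 1.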